
Aug 11

New in Windows security: Automatically log off suspicious users

Microsoft has added rapid reaction to a year-old subscription service that will automatically shut down accounts - logging a user out of all managed apps and services, including those delivered by a third party - at the first hint of suspicious activity.

The new feature in Cloud App Security (CAS), a security service launched in August 2016, collaborates with Azure Active Directory (AAD), another subscription service, to automatically bump off users behaving unusually and shut down accounts suspected of having been hijacked. CAS is built, at least in part, on technology Microsoft acquired in 2015 when it bought the Israeli cloud security vendor Adallom for $250 million.

"When a suspicious activity is identified in Cloud App Security portal, you can now initiate an auto-remediation action[,] logging off these users and requiring users to sign in again to Office 365 as well as all apps accessed through Azure Active Directory," according to an unsigned post to a Microsoft blog today.

CAS lets IT staff set a host of guidelines and policies to manage more than 15,000 third-party cloud-based apps - like Box or Salesforce - to prevent unauthorized data transfer, investigate suspicious activity and stop threats as they're discovered. The new account sign-off feature is an addition to a slew of remediations and reactions that were previously part of CAS, such as alerts on an administrative portal or texts sent to the on-duty admin.

The service costs $5 per user per month when purchased separately, but is also included in the $15 per user per month Enterprise Mobility + Security E5 plan. The latter contains AAD Premium P2, Intune, Advanced Threat Analytics and other tools. Because it's part of Enterprise Mobility + Security E5, CAS will also come with Microsoft 365 Enterprise when that top-of-the-line subscription launches later this year. (Microsoft has not revealed pricing for Microsoft 365 Enterprise, but it's expected to be around $50-$55.)

If a response or alert is triggered by an action or sustained activity - one example Microsoft gave was a user who never previously accessed Dropbox suddenly uploading 600GB to the service - the automatic log-off will kick into gear, sign the user out of her AAD account, revoke all user sessions and invalidate all the refresh tokens issued to the managed cloud apps.

Microsoft classified the auto log-off as a "quick and effective remediation for suspicious user activity alerts and compromised accounts," signaling that it was a stopgap. The user could log into his or her account again, for instance, so a determined insider could continue theft; a more permanent solution would be to disable the account entirely.
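To make the difference between a forced log-off and a disabled account concrete, here is an added illustration that is not from Microsoft or the original article. It is a simplified Python model, not how CAS or AAD is implemented: the `Directory` class, the 100GB `THRESHOLD` and the activity records are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed activity records: (timestamp, user, app, bytes_uploaded).
EVENTS = [
    (100, "alice", "Box", 2 * 10**6),
    (200, "bob", "Box", 5 * 10**6),
    (300, "alice", "Box", 3 * 10**6),
    (400, "bob", "Dropbox", 600 * 10**9),  # first use of the app, 600GB upload
]
THRESHOLD = 100 * 10**9  # hypothetical policy threshold, in bytes

@dataclass
class Directory:
    """Toy identity provider that keeps one revocation cutoff per user."""
    valid_from: dict = field(default_factory=dict)  # user -> earliest accepted issue time
    disabled: set = field(default_factory=set)

    def sign_in(self, user, now):
        if user in self.disabled:
            return None  # a disabled account cannot obtain new tokens
        return {"user": user, "issued_at": now}  # stands in for a refresh token

    def redeem(self, token):
        user = token["user"]
        return (user not in self.disabled
                and token["issued_at"] >= self.valid_from.get(user, 0))

    def revoke_sessions(self, user, now):
        self.valid_from[user] = now  # every token issued earlier is now rejected

def first_use_bulk_upload(events, threshold=THRESHOLD):
    """Flag a user's first recorded use of an app if it uploads >= threshold."""
    seen, alerts = set(), []
    for ts, user, app, size in sorted(events):
        if (user, app) not in seen and size >= threshold:
            alerts.append((ts, user, app))
        seen.add((user, app))
    return alerts

def remediate(directory, alerts, disable=False):
    """Log the flagged users off; optionally disable the accounts as well."""
    for ts, user, _app in alerts:
        directory.revoke_sessions(user, ts + 1)
        if disable:
            directory.disabled.add(user)
```

In this model, revocation rejects every token issued before the alert while leaving other users untouched, and a fresh sign-in still succeeds until the account itself is disabled.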

CAS lets IT staff set the auto log-off feature during the initial policy creation stage, or, on the fly, directly from an alert that pops up on the portal.

CAS documentation is available on Microsoft's website; the technical support discussion forum is here.

This story, "New in Windows security: Automatically log off suspicious users" was originally published by Computerworld.